For many purposes, including transactions and other communications on communication networks, passwords will provide the most widely accepted authentication method for the foreseeable future. Password-based authentication is readily available independent of network and device technologies.
Passwords can be vulnerable to interception (known as “snooping”) while being transmitted to the authenticating machine or person. If the password is carried as electrical signals on unsecured physical wiring between the user access point and the central system controlling the password database, it is subject to snooping by wiretapping methods. If it is carried over the Internet, anyone able to watch the packets containing the logon information can snoop with very little possibility of detection. Cable modems may be more vulnerable to snooping than DSL and dialup connections, and Ethernet may or may not be snoopable, depending particularly on the choice of networking hardware and wiring. Some organizations have noted a significant increase in stolen passwords after users began using cable Internet connections.
The risk of interception of passwords sent over the Internet can be reduced with the Transport Layer Security (TLS, previously called SSL) feature built into many Internet browsers. Most browsers display a closed lock icon when TLS is in use.
Unfortunately, there is a conflict between stored hashed passwords and hash-based challenge-response authentication: the latter requires a client to prove to a server that it knows the shared secret (the password), and to do this the server end needs to be able to obtain the shared secret from its stored form. On UNIX-type systems doing remote authentication, the shared secret becomes the hashed form, which has the serious limitation that it exposes passwords to offline guessing attacks.
Rather than transmitting the password, password-authenticated key agreement systems can perform a zero-knowledge password proof, which proves knowledge of the password without revealing it. Taking it a step further, augmented systems for password-authenticated key agreement (e.g. AMP, B-SPEKE, PAK-Z, SRP-6) avoid both the conflict and the limitation of hash-based methods: an augmented system allows a client to prove knowledge of the password to a server, where the server knows only a (not exactly) hashed password, and where the unhashed password is required to gain access.
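To make the augmented property concrete, the following added example (not part of the original text) runs an SRP-6a-style exchange: the server stores only a salt and a verifier v = g^x, the password is never transmitted, and an attacker who obtains v still cannot complete the protocol as the client. The group parameters, the SHA-256 hash-to-integer helper and the identity/password formatting are assumptions for the demonstration; the modulus is deliberately tiny and must not be used for anything real.

```python
# Added example: SRP-6a-style augmented PAKE. Constructed demo parameters only.
import hashlib
import secrets

N = 2**127 - 1   # constructed demo modulus (a Mersenne prime); far too small for real use
g = 3            # constructed generator for the demo group


def H(*parts):
    """Hash integers and strings into one integer (SRP-style helper, assumed here)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(str(p).encode() if isinstance(p, int) else p.encode())
    return int.from_bytes(h.digest(), "big")


def register(identity, password):
    """Enrolment: the server receives (salt, verifier), never the password itself."""
    salt = secrets.token_hex(8)
    x = H(salt, H(identity + ":" + password))   # private exponent, client side only
    return salt, pow(g, x, N)                   # verifier v = g^x mod N


def exchange(identity, password, salt, v):
    """Run one login; returns (client session key, server session key)."""
    k = H(N, g)
    a, b = secrets.randbelow(N), secrets.randbelow(N)
    A = pow(g, a, N)                            # client -> server
    B = (k * v + pow(g, b, N)) % N              # server -> client, g^b masked with k*v
    u = H(A, B)                                 # scrambling parameter, computed by both
    x = H(salt, H(identity + ":" + password))   # only the password holder can derive x
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)  # server works from v alone
    return H(S_client), H(S_server)


def login_succeeds(identity, password, salt, v):
    """Keys agree only if the client knew the password behind the stored verifier."""
    key_client, key_server = exchange(identity, password, salt, v)
    return key_client == key_server
```

Because the server holds v rather than the password (or a plain hash of it), a stolen verifier is useless for impersonating the client, which is the property the augmented schemes named above provide.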
Two-factor authentication (TFA) is an authentication technique that requires two independent ways to establish identity and privileges. This contrasts with traditional password authentication, which requires only one ‘factor’ (for example, knowledge of a static password) in order to gain access to a system.
The two ‘factors’ are generally:
- ‘Something you know’, such as a password or PIN.
- ‘Something you have’, such as a credit card or hardware token.
Traditionally, two-factor authentication requires hardware tokens, which are expensive to distribute.
US-A-2003/0204726 discloses a method and system for secure transmission of information. A client sends to a server, a request, at least one unique identifier and an encryption key. The server generates a reply to the request and identifies a mobile device (based on the at least one unique identifier) to which to send the reply. The reply is encrypted using the encryption key. The encrypted reply is sent from the server to the identified client device. The request may be a request for an OTP.
US-A-2006/0059344 discloses an authentication service and aims to provide effective password delivery in communication systems. The technique disclosed comprises receiving key information for calculating at least one password by a user equipment from a communication network system via a secure channel, generating at least one password on the basis of the key information in the user equipment, and performing authentication between the user equipment and the communication network system using the at least one password. The intention is that password security and management be improved to reach the largest possible user base without authentication being the bottleneck for launching new services in mobile networks. Recently mobile operators' WLAN (Wireless Local Area Network) and xDSL (Digital Subscriber Line) authentication and access-independent use of IMS (IP Multimedia Subsystem) and PoC (Push to talk over Cellular) services have suffered from strong coupling between the authentication, access network and terminal technologies. To minimize the SMS (Short Message Service) load that a conventional HTTP digest password delivery causes, a Seed and Hash Approach is used. An entity in the communication network system, e.g. an operator's own service management system with a terminal management server, generates the seed and optionally a (new) secret key, and sends it/them to the user equipment or terminal over SMS. The service management system generates and sends a new seed (and secret key) to the terminal after the number of generated passwords reaches a configurable threshold or a timeout expires. Requiring a subscriber to enter a PIN code before applying the hash function enhances the security of the mechanism. Applying different seeds, secret keys and/or hash functions can create password domains.
US-A-2005/0245257 discloses a system and method of using the PSTN in providing authentication or authorisation for online transactions, using substantially simultaneous transmissions on two different networks to verify a user's identity. US-A-2006/0036857 discloses user authentication based on linking between a randomly generated authentication secret and a personalised secret.
US-A-0114675 discloses user authentication by creating a key in the form of a user formula, presenting a user with an arrangement of variables, each assigned a value, applying the assigned values to matching variables in the user formula and calculating a first result; the user is authenticated if the first result matches a second result of a separate and independent calculation of the user formula.
US-A-2005/0069137 discloses a method of distributing the public key of an asymmetric key pair (with a private key and the public key) from a mobile station to a key managing computer, the method comprising: communicating an OTP from the key managing computer to the mobile station by means of a secure channel to provide a shared secret; calculating first and second codes at the mobile station and the key managing computer respectively; transmitting the first code and the public key to the key managing computer; and checking the authenticity of the user by comparing the first and second codes.
US-A-2003/0172272 discloses authentication of a user identity, which uses two separate communication channels, including a communications network and a mobile communication channel. US-A-2005/0268107 discloses authentication of users via any one of two or three of 1) something the user knows; 2) something the user has; and 3) a physical characteristic of the user.
US-A-2006/0094401 discloses authentication in a wireless communication network. A secret is shared between a mobile and a home device. A remote device determines whether the mobile device can connect to the remote device by concurrently sending a challenge to the mobile and home devices and comparing the results.
A transaction authentication number, or TAN, is used by some online banking services as a form of single-use password to authorize financial transactions. TANs are a second layer of security above and beyond the traditional single-password authentication.
An outline of how TANs function:
1. The bank creates a set of unique TANs for the user. Typically, there are 50 TANs printed on a list, each 8 characters long, which is enough to last half a year for a normal user.
2. The user picks up the list from the nearest bank branch. The user must typically identify him/herself through presenting a passport, an ID card or similar document.
3. A few days later, the user receives a 5 digit password by mail to the user's home address. The user is requested to memorise the password, destroy the notice and keep the TAN list in a safe place near the PC.
4. To log on to his/her account, the user must enter a user name and password. This may give access to account information but the ability to process transactions is disabled.
5. To perform a transaction, the user enters the request and “signs” the transaction by entering an unused TAN. The bank verifies the TAN submitted against the list of TANs they issued to the user. If it is a match, the transaction is processed. If it is not a match, the transaction is rejected.
6. The TAN has now been consumed and will not be recognized for any further transactions.
7. If the TAN list is compromised, the user may cancel it by notifying the bank.
TANs are believed to provide additional security because they act as a form of two-factor authentication. If the physical document containing the TANs is stolen, it will be of little use without the password. On the other hand, if a hacker cracks the user's password, they cannot process transactions without the TAN.
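The bank-side part of steps 1, 5, 6 and 7 above, as an added example that is not part of the original text: the list is generated with the sizes the text gives (50 TANs of 8 characters), each TAN is accepted at most once, and a cancelled list is never honoured again. Storing only hashes of the issued TANs and comparing in constant time are assumptions added here as good practice, not something the text describes.

```python
# Added example: server-side model of the TAN procedure. Storage format is assumed.
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
LIST_SIZE, TAN_LENGTH = 50, 8   # sizes given in the text


def issue_tan_list():
    """Step 1: create the printed list; the bank keeps only hashes plus a used flag."""
    tans = ["".join(secrets.choice(ALPHABET) for _ in range(TAN_LENGTH))
            for _ in range(LIST_SIZE)]
    record = {
        "hashes": {hashlib.sha256(t.encode()).hexdigest(): False for t in tans},
        "cancelled": False,
    }
    return tans, record   # tans go to the user (step 2); record stays at the bank


def authorize_transaction(record, tan):
    """Steps 5 and 6: accept only an unused TAN from an active list, then consume it."""
    if record["cancelled"]:
        return False
    digest = hashlib.sha256(tan.encode()).hexdigest()
    for stored, used in record["hashes"].items():
        if hmac.compare_digest(stored, digest):   # constant-time comparison (assumption)
            if used:
                return False                      # step 6: a consumed TAN is not recognized
            record["hashes"][stored] = True
            return True
    return False                                  # no match: transaction rejected


def cancel_list(record):
    """Step 7: the user reports the list compromised; nothing on it is accepted afterwards."""
    record["cancelled"] = True
```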